HIPAA and Research

A presentation at California Pacific Medical Center
Research Institute
April 8, 2003

Given by Diane M. L. Lee
Partner
Davis Wright Tremaine LLP
San Francisco, CA 94111

What is HIPAA?

Health Insurance Portability and Accountability Act of 1996 (P.L.)

  • Administrative Simplification – establishing rules for standard electronic transactions in health care

  • Security Rule – establishing standards for secured electronic transactions

  • Privacy Rule – establishing standards for maintaining the privacy of individually identifiable health information that is obtained, maintained or transmitted in electronic form


    Challenge of HIPAA

  • Final privacy regulations effective 4/03
  • Penalties: up to $25,000 CMP per year; up to $50,000 in criminal penalties and/or up to one year in prison for each violation
  • No private right of action
  • Pre-empts state law, but only to the extent HIPAA is more stringent than state law.
  • Where both apply, follow the rule that is more stringent (i.e. more protective of the subject)


    Compare: CA Law

    California Confidentiality of Medical Information Act

  • Private right of action. Civil Code 56.36
  • A misdemeanor
  • Action on license under practice acts
  • Can be prosecuted by the AG, DA, county counsel, city attorney, city prosecutor.

    Remedies
  • Nominal damages of $1,000 (no showing of actual damage required) + actual damages
  • Negligent disclosures: $2,500 per violation, with no showing of damages

    Knowing & willful use or disclosures:
  • Non-professional person or entity - $25,000 per violation
  • Health professionals - $2,500 first violation; $10,000 second; $25,000 third

    Knowing & willful use or disclosures for financial gain
  • Non-professional person or entity - $250,000 per violation + disgorgement
  • Health professionals - $5,000 first violation; $25,000 second; $250,000 third + disgorgement

    Unauthorized use/disclosure by person or entity not authorized to receive information - $250,000 per violation

    HIPAA Definitions/Acronyms

    Protected Health Information or PHI:

  • demographic information, whether oral or recorded in any form or medium that is
  • created or received by a covered entity
  • relates to the past, present, or future physical or mental health or condition of an individual, or the past, present, or future payment for the provision of health care to an individual
  • that identifies the individual, or about which there is a reasonable basis to believe that such information can identify an individual

    Treatment, Payment or Healthcare Operations or TPO:
  • Research is not considered Treatment or Operations
  • Exception: De-identifying data and creating limited data sets are health care operations
  • Consents: Providers may, but are not required to, obtain consents to disclose PHI for TPO
  • Authorizations: Required for all disclosures/uses of PHI by a Covered Entity outside of TPO
  • Covered Entity: A health plan, a clearing-house, or a health care provider who transmits health information in electronic form.
  • Business Associate: A person who performs a function or activity on behalf of a covered entity that involves the use or disclosure of individually identifiable health information, other than as a member of the covered entity’s work force.
  • Workforce: employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of the covered entity, whether or not they are paid by the covered entity.


    General Rules

    A covered entity may not use or disclose PHI except as permitted under the Privacy Rule

    Permitted uses/disclosures:

  • to the individual
  • for TPO, without authorization
  • incident to a permitted use
  • with authorization


    Required disclosures:
  • To the individual when requested under 164.524 and 164.528
  • To the DHHS Secretary for investigating HIPAA compliance

    Covered entity must:
  • Comply with administrative requirements of HIPAA (privacy officer, person to receive complaints, conduct & document training, establish P&P, provide NPP etc.)
  • Enact reasonable administrative, technical and physical safeguards to protect privacy
  • Make reasonable efforts to use and disclose minimum necessary PHI to accomplish the intended purpose of the use or disclosures.
    - Minimum necessary doesn’t apply to treatment
    - Limit access to PHI to persons in workforce who need it to carry out their duties.

    Disclosures of PHI for Research Purposes
  • With a written authorization that meets regulatory requirements
  • Without authorization, if:
    - The info is a decedent’s PHI for research on decedents
    - The disclosure is for research preparatory activities
    - The info is properly de-identified
    - The covered entity’s IRB waives the requirement of authorization (“IRB Waiver”)
    - The covered entity obtains adequate assurance from an expert that the information cannot be used to identify an individual (“Statistical Waiver”)
    - The disclosure is for public health purposes, including to public registries and FDA safety monitors
    - The disclosure is a Limited Data Set, subject to a Data Use Agreement, and can include disclosures to private registries

    Disclosure Pursuant to a Proper Authorization

  • Elements of a valid authorization
    1. A specific and meaningful description of the information to be used or disclosed;
    2. Name of the investigator or other person or class of persons authorized to make the requested use or disclosure
    3. Name or other specific identification of the persons or class of persons to whom the investigator or CPMC workforce members may use or disclose the information being requested
    4. A description of each purpose of the requested use or disclosure
    5. An expiration date that relates to the individual or the purpose or use of the disclosure.
       - HIPAA allows using “none” or “end of research study”
       - However, CA law requires a specific expiration date.
    6. The signature of the subject and the date; if signed by someone else, the person’s legal authority must be included
       - Who can consent/authorize follows State law, which recently changed with respect to certain types of research on incompetent persons
    7. A statement that the individual has a right to revoke the authorization and a description of how the authorization can be revoked
       - If this information is contained in the Notice of Privacy Practices, include a cross reference to the Notice
       - May condition the provision of research-related treatment on the provision of an authorization for the use or disclosure of PHI
    8. The authorization must be written in plain language
    9. A copy of the signed authorization must be provided to the subject
    10. May be combined with the Informed Consent Form. Your IRB is requiring a separate authorization.
    45 CFR 164.508(b)(3)(ii)

    Disclosure of Decedent’s PHI Without Authorization

  • A covered entity may disclose PHI of deceased individuals without authorization from the decedent’s personal representative or estate if:
    - The use or disclosure is sought solely for research on the PHI of decedents; and
    - At the covered entity’s option, there is documentation that the individual to whom the PHI belongs is dead.
    - The researcher makes representations as to the foregoing

    45 CFR 164.512 (i)(1)(iii)

    Disclosure of PHI for Research Preparatory Activities

    Can be disclosed without authorization if:

  • The use or disclosure is sought solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research
  • No PHI is removed from the premises of the covered entity in the course of review
  • The PHI is necessary for research purposes
  • The requester provides a representation to the covered entity with respect to the foregoing uses.
    45 CFR 164.512(i)(1)(ii)

  • Covered entities (physicians, hospitals) may use the PHI of their existing patients, without written authorization, as a basis for discussing with such patients enrollment in a clinical trial
  • But could not permit a third party to do so under this exception
  • Run through IRB or seek IRB waiver

    De-Identified Data

  • Must remove all identifiers specified in 45 CFR 164.514(b)(2)(i)
  • De-identified data is no longer PHI
  • Can be disclosed without obtaining a waiver or entering into an agreement with the recipient, provided that:
  • The covered entity does not disclose to the recipient the re-identification code, the mechanism for deploying the re-identification code, or any information that would allow the recipient to re-identify the information;
  • The covered entity has no actual knowledge that the information used alone or in combination with other information could identify an individual. 45 CFR 164.514(b)(2)(ii)
  • HIPAA appears to permit the same person or entity to receive PHI and convert it to de-identified data, acting as a “business associate” of the covered entity while conducting the de-identification, and subject to a business associate agreement
  • Query: How does the covered entity assure itself that the recipient will not have information and technology to re-identify?

    De-Identification Standards

    Remove all of the following related to the subject and family members

  • Names, Social Security Number
  • Geographic subdivisions smaller than a State
  • Address, city, county, precinct
  • Zip code or equivalent geocode
  • Telephone numbers, fax numbers
  • E-mail address, Universal Resource Locator (URL), Internet Protocol (IP) address
  • Medical record number
  • Health plan beneficiary number
  • All elements of dates (except year) for dates related to an individual, including birth date, admission date, discharge date, date of death
  • All ages over 89, all elements of dates (including year) indicative of age, except an aggregated single category of “90 or older” is permissible
  • Account number, certificate/license number
  • Vehicle identifiers, serial numbers and license plate number
  • Device identifiers and serial numbers
  • Biometric identifiers, voice and finger prints
  • Full face photographs and comparable images
  • Any other unique identifying number, characteristic or code

    IRB Waivers

    The IRB may waive or modify the requirement of individual authorization if the IRB determines that:
    1. No more than minimal risk to the privacy of individuals is involved because:
    a. There is adequate plan to protect the identifiers from improper use or disclosure;
    and
    b. There is an adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of research, unless there is a health or research justification for retaining the identifiers or retention is required by law;
    and
    c. There are adequate written assurances that the PHI will not be re-used or disclosed to any other person or entity except as required by law, for authorized oversight of the research project, or for other research as permitted by the HIPAA regulations

    2. The research cannot practicably be conducted without the alteration or waiver; and
    3. The research cannot practicably be conducted without access to and use of the PHI.
    45 CFR 164.512(i)(2)(iii)

    4. If the waiver or request for modification of the authorization is related to an FDA regulated trial, the IRB must use the DHHS rules (the “Common Rule”) for reviewing whether to waive or modify the authorization to use or disclose PHI in connection with research.
    5. The waiver must be documented in a writing that meets regulatory requirements.

    Documentation of IRB Waivers

    The written documentation must contain:

  • The name of IRB and the date the action was taken;
  • A statement that the IRB has determined that the waiver or modification specifically satisfies all the criteria (1-3) listed above;
  • A brief description of the PHI for which use and disclosure has been determined to be necessary for the research study;
  • A statement that indicates whether the IRB used normal or expedited review procedures; and
  • The signature of the IRB Chair


    “Statistical” or “Expert” Waivers of Authorization

    IRB may seek an expert opinion that disclosure of health information would create minimal risk that the recipient would be able to identify the individual

    The expert:
  • Must have knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable
  • Should not have a financial interest in the outcome of the disclosure
  • Must determine that the risk is very small that the information could be used, alone or in combination with any other reasonably available information, by an anticipated recipient to identify the individual who is the subject of the information
  • The expert must document the method and results of the analysis to justify the determination.


    45 CFR 164.514(b)

    Disclosures for Public Health Purposes

    Disclosure of PHI for public health purposes can be made without individual authorization. 45 CFR 164.512(b)(i)

    Includes disclosures:

  • For FDA monitoring activities
  • To public registries
    - The registry must be authorized by law to collect or receive the information for the purpose of controlling disease, injury or disability

    General rules:

    1. The disclosure is subject to the “minimum necessary” standard
    However, the covered entity may rely on the public authorities’ determination of the minimum necessary

    2. Where disclosure is routine and recurring, covered entities may establish standard protocols for what may be disclosed as part of their policies and procedures to implement the minimum necessary standards

    FDA Monitoring

    Disclosures can be made to a person who is subject to FDA jurisdiction and who is responsible for the quality, safety or effectiveness of an FDA regulated product or activity. 45 CFR 164.512(b)(1)(iii)

    FDA monitoring activities include:

  • Collecting or reporting adverse events, product defects or biological product deviations;
  • Tracking FDA-regulated projects;
  • Enabling product recalls, repairs, replacement or lookback; or
  • Conducting post-marketing surveillance.

    Disclosures of Limited Data Sets for Research Purposes

    PHI can be disclosed to third parties (including private registries) for research purposes without written authorization of the individual, if:

  • The PHI is a “limited data set”
  • The recipient of the limited data set enters into a Data Use Agreement with the covered entity that meets the standards of 164.514(e)
  • Only the minimum necessary PHI is disclosed

    Removal of Identifiers

    The following must be removed from the Limited Data Set:

  • Names of the owner of the PHI and his or her family members
  • Street addresses (other than town, city, state and zip code)
  • Telephone numbers
  • Fax numbers
  • E-mail addresses;
  • Social security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers;
  • Certificate license numbers;
  • Vehicle identifiers and serial numbers, including license plates;
  • Device identifiers and serial numbers;
  • URLs;
  • IP address numbers;
  • Biometric identifiers (including finger and voice prints); and
  • Full face photos (or comparable images)
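The two identifier lists on this page (the Safe Harbor de-identification standard and the shorter limited data set list) differ in what they keep: Safe Harbor strips all geography below the state, reduces dates to the year and aggregates ages over 89, while a limited data set keeps town/city/state/zip and full dates and remains PHI. The transform below is an added example, not code from the presentation; the sample record, its field names, the free-text patterns and the reference date are constructed assumptions.

```python
"""Safe Harbor de-identification (45 CFR 164.514(b)(2)(i)) versus the limited
data set (45 CFR 164.514(e)) identifier list, applied to one patient record."""
import re
from datetime import date

# Constructed sample record; every value is fictitious.
RECORD = {
    "name": "Jane Doe", "ssn": "123-45-6789", "mrn": "MRN-0001",
    "street": "1 Example St", "city": "San Francisco", "state": "CA", "zip": "94111",
    "phone": "415-555-0100", "email": "jane@example.org",
    "birth_date": date(1912, 3, 4), "admission_date": date(2003, 4, 8),
    "diagnosis": "hypertension",
    "notes": "Jane Doe (MRN-0001) can be reached at 415-555-0100.",
}
AS_OF = date(2003, 4, 8)  # assumed reference date for computing age

# Direct identifiers stripped by BOTH lists: names, SSN, MRN, plan/account/licence
# numbers, phone, fax, e-mail, URL, IP, vehicle/device ids, biometrics, photos.
DIRECT = {"name", "ssn", "mrn", "plan_id", "account", "license", "phone", "fax",
          "email", "url", "ip", "vehicle_id", "device_id", "biometric", "photo"}
# Safe Harbor removes every geographic subdivision smaller than a state;
# a limited data set removes only the street address and keeps town/city/state/zip.
GEO_SAFE_HARBOR = {"street", "city", "county", "precinct", "zip"}
GEO_LIMITED = {"street"}

# Identifiers embedded in free text: phone, SSN, e-mail and MRN-style codes
# (assumed formats). The "any other unique code" catch-all still needs human review.
EMBEDDED = re.compile(r"\b\d{3}-\d{3}-\d{4}\b|\b\d{3}-\d{2}-\d{4}\b|\S+@\S+|\bMRN-\d+\b")

def scrub_text(text: str, names) -> str:
    """Mask pattern-matching identifiers and any literal names known from the record."""
    text = EMBEDDED.sub("[REDACTED]", text)
    for n in names:
        text = text.replace(n, "[REDACTED]")
    return text

def age_on(as_of: date, birth: date) -> int:
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))

def _strip(record: dict, drop: set) -> dict:
    names = [record["name"]] if "name" in record else []
    out = {}
    for key, value in record.items():
        if key in drop:
            continue
        out[key] = scrub_text(value, names) if isinstance(value, str) else value
    return out

def limited_data_set(record: dict) -> dict:
    """Direct identifiers and street address out; dates and city/state/zip stay (still PHI)."""
    return _strip(record, DIRECT | GEO_LIMITED)

def safe_harbor(record: dict, as_of: date = AS_OF) -> dict:
    """All 18 identifier classes out; dates reduced to year; ages over 89 become '90 or older'."""
    out = _strip(record, DIRECT | GEO_SAFE_HARBOR)
    if "birth_date" in record:
        age = age_on(as_of, record["birth_date"])
        out["age"] = "90 or older" if age > 89 else age
        if age > 89:
            del out["birth_date"]  # even a birth year would reveal an age over 89
    for key, value in list(out.items()):
        if isinstance(value, date):
            out[key] = value.year  # only the year of any remaining date survives
    return out
```

Run `safe_harbor(RECORD)` and `limited_data_set(RECORD)` side by side to see that the second still carries the full birth date and zip code, which is why it needs a Data Use Agreement.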

    Data Use Agreements

    Because a limited data set is still PHI, the Privacy Rule requires the covered entities to enter into Data Use Agreements with recipients of limited data sets.

    The Data Use Agreements must meet regulatory standards of 45 CFR 164.514(e)(4), as follows:

  • Set forth the permitted uses and disclosures of the limited data set;
  • Identify who may use or receive the information
  • Prohibit the recipient from using or further disclosing the information, except as permitted by the agreement or as required by law
  • Require the recipient to use appropriate safeguards to prevent a use or disclosure which is not permitted by the agreement
  • Require the recipient to report any such unauthorized use or disclosure to the covered entity of which it becomes aware
  • Require the recipient to ensure that any agents (including a subcontractor), to whom it provides the information will agree to the same restrictions as provided in the agreement
  • Prohibit the recipient from identifying the information or contacting the individuals.

    In addition, covered entities must
  • Take reasonable steps to cure any breach by a recipient of the Data Use Agreement
  • If such steps are unsuccessful, discontinue disclosure under the Data Use Agreement and
  • Report the problem to the Department of Health and Human Services (DHHS)

    Seeker of PHI Can Create the Limited Data Set

    The researcher seeking the PHI can create the Limited Data Set if he/she is acting as a business associate of the covered entity (see 67 Fed. Reg. 53182 at 53237), i.e., enters into a Business Associate (BA) Agreement with the covered entity that meets the business associate regs.

    Can combine BA and Data Use Agreement, as long as both the requirements of the data use agreements and business associate agreements are met.

    Limited Data Sets Subject to Minimum Necessary Standard

  • A limited data set is still PHI, except that specified “direct” identifiers have been removed; consequently the minimum necessary standard applies
  • In short, only the minimum necessary PHI to serve the research purpose can be disclosed in the limited data set
  • The final resulting “limited data set” will be driven by the purposes of the research

    IRB Approval Required?

    Technically, no IRB approval is required to release a Limited Data Set, but:

  • In many covered entities, requests from private registries for research on PHI have normally flowed through the IRB processes anyway
  • The IRB may be in a better position to determine what the minimum necessary disclosures of PHI should be, consistent with the research purposes

    Recap: Minimum Necessary

    Minimum Necessary standard applies to

  • Public health disclosures including disclosures to public registries
  • Limited Data Sets
  • Research preparatory activities
  • Research on decedent’s PHI
  • Research pursuant to IRB waiver

    Minimum Necessary standard does not apply to
  • De-identified data
  • Statistical or Expert de-identified data
  • Authorized uses/disclosures

    Accounting Rules

    Content of the Accounting

    Must include:

  • A list of all disclosures made without authorization for the period stated in the request, up to six (6) years prior to the date of the request (the “accounting period”)
  • Disclosures made to business associates (BAs) of the covered entity (persons or entities under contract to assist the covered entity in performing treatment, operations or payment functions)
    - A BA who performed the de-identification or created the limited data set

    For each disclosure made during the accounting period, the response must provide:
  • The date of each disclosure;
  • The name of the recipient of the PHI, and the address of the recipient, if known
  • A brief description of the PHI disclosed
  • A brief statement of the purpose of the disclosure, enough to reasonably inform the requester of the basis for the disclosure.
    - If the disclosure was made for a public health purpose, such as to a public registry, a copy of the request for information may be provided in lieu of this statement

    Accounting for Research Disclosures

    Accounting requirement applies to disclosures without authorization:

  • Decedent’s PHI for Research
  • PHI for Activities Preparatory to Research
  • PHI for Public Health Purposes (Public Registries, FDA Monitoring)
  • PHI Pursuant to IRB Waiver
  • PHI Pursuant to Statistical Waiver

    Accounting requirement does not apply
  • Authorized Disclosures/Uses
  • De-identified Data
  • Limited Data Sets pursuant to a Data Use Agreement (Private Registries)

    Multiple Disclosures for Public Health Purposes

    If, during the accounting period, multiple disclosures were made to the same person or entity for a single permitted public health purpose (such as FDA monitoring or a single public health registry), then in addition, the accounting must include:

  • The frequency, periodicity, or number of disclosures made during the accounting period;
  • The date of the last such disclosures

    Accounting for Disclosures for Particular Research Purposes
    45 CFR 164.528(b)(4)(i)

    If, during the accounting period, disclosures of PHI without authorization, were made for a particular research purpose for 50 or more individuals in accordance with:

  • A waiver of written authorization by the IRB
  • For research preparatory activities
  • For research on decedents’ information for research purposes


    Then, the accounting for disclosures must provide:

  • The name of the protocol or other research activity
  • A description, in plain language, of the research protocol or other research activity, including the purpose of the research and the criteria for selecting particular records
  • A brief description of the type of PHI that was disclosed
  • The date or period of time during which the disclosures occurred, or may have occurred, including the date of the last such disclosure during the accounting period
  • The name, address and telephone number of the entity that sponsored the research and the researcher to whom the information was disclosed; and
  • A statement that the PHI of the individual may or may not have been disclosed for a particular protocol or other research activity.
  • If it is likely that the PHI of the requester has been disclosed, the covered entity must assist the individual to contact the entity sponsoring the research and the researcher, if it is asked to do so.

    Transition Provisions: Use and Disclosure of Existing Research Data Bases
    45 CFR 164.532

    Covered entities may use or disclose PHI that was created or received before April 14, 2003 (the “Compliance Date”) if, prior to the Compliance Date:

  • It received authorization or express permission from the individual to use the PHI for research

  • It obtained the informed consent of the individual to participate in research (or the IRB waived informed consent under the Common Rule or an FDA exception)

    However, if informed consent is subsequently sought, then an authorization as required under HIPAA must be obtained, e.g. when:
  • The informed consent form is changed because of changes in the study protocol
  • The IRB withdraws the waiver
  • The informed consent form is required to be re-submitted in order for IRB approval to be renewed
  • How to administer this effectively is an issue

